Globus Authorization Callouts (Pre-Web Services)

Note: This information is compatible with the pre-Web Services Security in Globus Toolkit version 3.2 and higher.

Overview

The Globus Toolkit version 3.2 introduces the ability to customize gridmap lookup (currently available in the Gatekeeper and GridFTP servers) as well as a mechanism for doing fine-grained authorization in the GRAM Jobmanager. Both of these features were built upon a new callout library based on runtime library loading. For information specific to these callouts take a look at the following two sections:

Gridmap Callout

The updated code contains a replacement for the gridmap lookup function used in previous versions of the Globus Toolkit. The replacement function looks for the callout configuration file and checks whether any mapping or authorization callouts are defined. If any callouts are defined, the function proceeds to call the defined callouts. If no mapping callout is defined or if no configuration file was found the function behaves like the gridmap lookup function it replaces (i.e. it does the normal Globus gridmap lookup).
A paper describing a system using these callouts for integration with a site authorization system can be found here

GRAM callout

The GRAM callout was implemented by placing explicit calls to the callout API in the GRAM Jobmanager code. These calls were placed at any of the entry points to Jobmanager functionality. Similar to the gridmap callout, these calls look for the callout configuration file, check whether any GRAM callouts are defined and then call any callouts that were found. Should no callouts be defined then the Jobmanager code will behave just like in previous releases of the toolkit (no authorization in the Jobmanager itself).

Developer Documentation

This section provides documentation resources for authorization callout developers.

API & Code Documentation

Writing your own callout package

These instructions are not meant to be comprehensive and will improve as questions come up.

Follow the directions on the CVS page for building the GNU tools (ie follow steps 1-5) used for bootstrapping Globus packages. Now that you have the right tools, you can modify the example callout package to suit your needs by inserting your source and changing the Makefile.am, configure.in, pkgdata/pkg_data_src.gpt.in files.

Once you have made your modifications, run the bootstrap script to regenerate build related files. Once you have regenerated the build environment, you can build the package using "./configure --with-flavor=" followed by "make" or "make install". If everything seems to be working to satisfaction, you can generate a source package by running "make dist".

Deployment Information

The current version of the code checks the following locations (in order) for the callout configurations file:
  • $GSI_AUTHZ_CONF
  • /etc/grid-security/gsi-authz.conf
  • $GLOBUS_LOCATION/etc/gsi-authz.conf
  • $HOME/.gsi-authz.conf
The code defines the following abstract callout types: These are the abstract types to be used in the callout configuration file. The abstract type indicates a callback that takes certain arguments and provides certain functionality. You may define several callbacks of the same abstract type.

Downloads

Building Example Packages

To build and install the example packages you should do the following:
  • Install the Globus Toolkit version 3.2 or later
  • Make sure $GLOBUS_LOCATION and $GPT_LOCATION are set correctly
  • Run "${GPT_LOCATION}/sbin/gpt-build <example callout package> <flavor>", where "<flavor>" is the flavor you used to install the toolkit
  • Run "${GPT_LOCATION}/sbin/gpt-build <example callout setup package> <flavor>"
  • Run "${GPT_LOCATION}/sbin/gpt-postinstall" and follow the instructions printed by the setup package